bug #7833
submitters can access and see any registration in any RegistrationWorkingSet
100%
Description
Submitters can access any RegistrationWorkingSet where the registrations are all visible.
Registrations where the submitter is not the Registration.submitter should be hidden though.
The submitter can search for the reference via the "New Registration" view where existing publications can be selected. Clicking on "Continue" will get the submitter to the corresponding RegistrationWorkingSetView where unpublished registrations can be visible. Seeing unpublished Registrations is ok as long as the publication has been published in the past!
Conclusion:
- Unpublished references must be hidden from the select in the "New Registration"
- RegistrationWorkingSet unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.
Solved, among other things, by implementing the following in RegistrationWorkingSetService:
    public boolean isPermissionDenied(Reference reference) {
        boolean permissionDenied = false;
        // Published references are open to every submitter; unpublished ones
        // require UPDATE permission on the reference.
        if (!checkReferencePublished(reference)) {
            permissionDenied = !userHelper.userHasPermission(reference, CRUD.UPDATE);
        }
        return permissionDenied;
    }

    public boolean checkReferencePublished(Reference reference) {
        ...
    }
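The two conclusions above as an added example (not code from the project): the "New Registration" select offers only published references, and the working set view repeats the permission check on its own, so a reference hidden from the select still cannot be opened by navigating to it directly. `Reference`, `User` and all helper names here are hypothetical stand-ins for the project's classes; records need Java 16 or later.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example with stand-in types; not the project's own classes.
public class WorkingSetAccessDemo {

    // Hypothetical model: published flag plus the user names holding UPDATE on the reference.
    record Reference(String title, boolean published, Set<String> updaters) {}
    // Hypothetical user; anonymous == true models an anonymous authentication token.
    record User(String name, boolean anonymous) {}

    static boolean userHasUpdatePermission(User user, Reference ref) {
        // Anonymous tokens never hold object-level permissions.
        return !user.anonymous() && ref.updaters().contains(user.name());
    }

    // Same decision as isPermissionDenied() in the ticket: published references
    // are open, unpublished ones require UPDATE permission.
    static boolean isPermissionDenied(User user, Reference ref) {
        return !ref.published() && !userHasUpdatePermission(user, ref);
    }

    // Conclusion 1: the select is filtered on the server and never lists
    // unpublished references.
    static List<String> selectableTitles(List<Reference> all) {
        return all.stream().filter(Reference::published)
                  .map(Reference::title).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Reference> refs = List.of(
            new Reference("Published paper", true, Set.of()),
            new Reference("Alice's draft", false, Set.of("alice")),
            new Reference("Bob's draft", false, Set.of("bob")));
        List<User> users = List.of(new User("alice", false),
            new User("bob", false), new User("anonymous", true));
        System.out.println("select offers: " + selectableTitles(refs));
        // Conclusion 2: the view check runs for every request, whatever the select showed.
        for (User u : users) {
            for (Reference r : refs) {
                System.out.println(u.name() + " -> " + r.title() + ": "
                    + (isPermissionDenied(u, r) ? "denied" : "allowed"));
            }
        }
    }
}
```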
Related issues
Associated revisions
ref #7833 restricting access to RegistrationWorkingsetView:
- AccessRestrictedViewControlBean to evaluate AccessRestrictedView.isAccessDenied()
- refactoring AccessRestrictedView class hierarchy
ref #7833 fixing inversely interpreted access denied
ref #7833 registration start view only shows references for which the user has permissions
ref #7833 registration start view excludes unpublished references
ref #7833 another method for UserHelper to scan for permissions
ref #7833 fixing null-view bug
ref #7833 permission checking in RegistrationWorkingSetService
ref #7833 adding missing check for anonymous authentication tokens to CdmUserHelper
History
#1 Updated by Wolf-Henning Kusber about 2 years ago
RegistrationWorkingSet Unpublished references must only be accessible for submitters which have UPDATE permission | which are the creator ?? for this Reference.
Comment: Yes, if the publication is unpublished = a new workingset for new names and types.
Problem: published references of basionyms or replacement names or even old species epithets, needed for an infraspecific epithet. If those are needed for other new registrations they might be necessary.
#2 Updated by Andreas Kohlbecker about 2 years ago
- Status changed from New to Feedback
- Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber
Hello Henning,
I think we should definitely resolve this ticket before we allow external submitters.
So highest, and still in this release?
Andreas
#3 Updated by Wolf-Henning Kusber about 2 years ago
- Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker
Unpublished references must be hidden from the select in the "New Registration" makes sense.
Question (2): creator = person or working set submitter?
A content issue: An author might work on a second unpublished article on names of a first unpublished article.
#4 Updated by Andreas Kohlbecker about 2 years ago
- Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber
Wolf-Henning Kusber wrote:
> Unpublished references must be hidden from the select in the "New Registration" makes sense.
> Question (2): creator = person or working set submitter?
This is the workingset submitter.
> A content issue: An author might work on a second unpublished article on names of a first unpublished article.
This should not be a problem since both references are unpublished but accessible for the submitter.
#5 Updated by Andreas Kohlbecker about 2 years ago
Issue solved, please review.
#6 Updated by Andreas Kohlbecker about 2 years ago
- Precedes feature request #7968: ReferenceEditor: optional validation for completenes of Partial values in datePublished added
#7 Updated by Wolf-Henning Kusber about 2 years ago
- Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker
Submitter can currently view/update unpublished references and datasets entered by the curator or a.
#8 Updated by Andreas Kohlbecker about 2 years ago
- Status changed from Feedback to Resolved
- Assignee changed from Andreas Kohlbecker to Wolf-Henning Kusber
- % Done changed from 0 to 60
Wolf-Henning Kusber wrote:
> Submitter can currently view/update unpublished references and datasets entered by the curator or a.
This issue is solved now, please test again.
#9 Updated by Wolf-Henning Kusber about 2 years ago
- Assignee changed from Wolf-Henning Kusber to Andreas Kohlbecker
- % Done changed from 60 to 100
Review: Submitter cannot see entries of other submitters. Security problem solved.
#10 Updated by Andreas Kohlbecker about 2 years ago
- Status changed from Resolved to Closed
#11 Updated by Andreas Kohlbecker almost 2 years ago
- Description updated (diff)
- Status changed from Closed to Rejected